He reboots the machine. Why? All he changed was the sshd, and he restarted that already. Then he backs up the real sshd in a java directory the guy didn't have before.. (Shoulda cleaned that from the logs as well, along with the sshd restart, and set the modified date back.)
There is a reason why you shouldn't turn off a compromised computer. You have to figure that with most signs of an actual intrusion via buffer overflow, the first set of changes will all happen in memory. Plus the idea is that if a user just ignores it, then it gives some insight into what type of people are on the other end. But yeah... none of that was needed at all, and considering how few machines this thing would actually pwn... Hmmm.